Protect your APIs in one line of code
Drop-in rate limiting, bot detection & brute force protection for Node.js. Works with Next.js, Express, Fastify, Hono. Zero dependencies, zero lock-in.
Features
Everything you need to protect your API — rate limiting, bot detection, brute force protection, geo-blocking — all in one lightweight package.
Sliding Window Rate Limiting
Smooth, accurate rate limiting with no burst spikes at window boundaries. Weighted average of current + previous window.
Bot Detection
Automatically detect and block bots by analysing User-Agent strings, browser header patterns, and custom blocklists.
Brute Force Protection
Progressive delays and lockouts for login endpoints. Configurable thresholds and block durations per route.
Geo-Blocking
Allow or block traffic by country using ISO codes. Built-in IP-to-country lookup with caching.
Per-Route Configuration
Different limits for different endpoints. Glob patterns, named params, and skip rules.
Zero Dependencies
The core has no external dependencies. Works on the edge, in serverless, everywhere Node.js runs.
Quick Start
Install the package, add one import, and your API is protected. Works with your existing framework.
1. Install the package: `npm install @tumull/shield`
2. Import and configure: one function call with your limits
3. You're done: your API is now rate-limited with 429 responses
```ts
// middleware.ts
import { shield } from '@tumull/shield'

export default shield({
  limit: 100,
  window: '1m',
})

export const config = {
  matcher: '/api/:path*',
}
```
Algorithms
Three battle-tested algorithms, each optimised for different traffic patterns.
Sliding Window
Weighted average of current + previous window. Gives the smoothest rate limiting — no burst spikes at window boundaries.
Fixed Window
Simple counter that resets at fixed intervals. Fast and low memory, but can allow 2x limit at boundaries.
Token Bucket
Bucket starts full, tokens refill at a constant rate. Allows controlled bursts up to the full bucket size.
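The sliding-window estimate described above, as an added example that is not the @tumull/shield source: the previous window's count is weighted by how much of it still overlaps the trailing window, so a burst at the boundary is not counted twice. The clock is injected so the boundary case can be reproduced; `SlidingWindowLimiter` and `burst` are names assumed here.

```typescript
// Added example, not the @tumull/shield source: a minimal sliding-window
// limiter of the kind described above. The clock is injected so the window
// boundary can be reproduced deterministically.
interface Counter {
  windowStart: number; // start of the current fixed window (ms)
  current: number;     // hits in the current window
  previous: number;    // hits in the immediately preceding window
}
class SlidingWindowLimiter {
  private counters = new Map<string, Counter>();
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly now: () => number;

  constructor(limit: number, windowMs: number, now: () => number = Date.now) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
  }

  /** Decide one request for `key`; returns the weighted estimate used. */
  check(key: string): { allowed: boolean; estimate: number } {
    const t = this.now();
    const windowStart = Math.floor(t / this.windowMs) * this.windowMs;
    let c = this.counters.get(key);
    if (!c) {
      c = { windowStart, current: 0, previous: 0 };
      this.counters.set(key, c);
    } else if (c.windowStart !== windowStart) {
      // Roll over: the finished window becomes "previous" only if it is the
      // one directly before this one; anything older has aged out entirely.
      c.previous = c.windowStart === windowStart - this.windowMs ? c.current : 0;
      c.current = 0;
      c.windowStart = windowStart;
    }
    // Share of the previous window that still overlaps the trailing windowMs.
    const prevWeight = 1 - (t - windowStart) / this.windowMs;
    const estimate = c.previous * prevWeight + c.current;
    if (estimate >= this.limit) return { allowed: false, estimate };
    c.current += 1;
    return { allowed: true, estimate: estimate + 1 };
  }
}

/** Fire `n` requests for `key` and return how many were allowed. */
function burst(limiter: SlidingWindowLimiter, key: string, n: number): number {
  let allowed = 0;
  for (let i = 0; i < n; i++) if (limiter.check(key).allowed) allowed++;
  return allowed;
}
```

With limit 10 per 60 s, ten hits at t=59 s leave nothing for t=60 s (the previous window is still fully weighted), while a fixed-window counter would have reset and allowed another ten.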
How Shield Stacks Up
Feature-for-feature comparison with other popular rate limiting solutions.
| Feature | Shield |
|---|---|
| Next.js middleware | ✓ |
| Edge runtime | ✓ |
| Zero dependencies | ✓ |
| Sliding window | ✓ |
| Bot detection | ✓ |
| Brute force protection | ✓ |
| Per-route config | ✓ |
| Free & open source | ✓ |
Works With Your Stack
First-class support for the most popular Node.js frameworks. Or use it with plain HTTP.
Next.js
Middleware & API Routes
Express
Classic Middleware
Fastify
Plugin System
Hono
Edge-Native
Node.js
Raw HTTP
Pluggable Storage
Start with in-memory, scale to Redis or Upstash. Or bring your own store.
Memory
No setup needed. LRU eviction keeps memory bounded. Perfect for dev and single-server deployments.
Redis
Shared state across multiple instances. Persistent. Works with ioredis or any Redis-compatible client.
Upstash
HTTP-based Redis. Works in edge runtimes — Vercel Edge, Cloudflare Workers, and more.
```ts
shield({
  limit: 100,              // requests per window
  window: '1m',            // 30s, 1m, 5m, 1h, 1d
  block: '15m',            // block duration
  algorithm: 'sliding-window',

  // per-route overrides
  routes: {
    '/api/auth/login': {
      limit: 5, window: '5m', block: '30m'
    },
    '/api/public/*': { limit: 500 },
    '/api/webhook/*': { skip: true },
  },

  store: 'memory',         // or Redis, Upstash
  botDetection: true,
  blockBots: ['scrapy', 'curl'],
  allowlist: ['127.0.0.1'],
  headers: true,           // X-RateLimit-* headers
})
```
One Config. Full Control.
Set global limits, override per route, enable bot detection, configure geo-blocking — all from a single object.
Flexible time formats
"30s", "1m", "5m", "1h", "1d" or raw milliseconds
Route patterns
Exact, glob (/*), deep (/**), and named params (/:id)
Custom key extraction
Rate limit by IP, API key, user ID, or any custom logic
Protect Your API Today
Get started in under a minute. Free, open source, MIT licensed.